1 # Copyright (c) 2022 Intel and/or its affiliates.
2 # Licensed under the Apache License, Version 2.0 (the "License");
3 # you may not use this file except in compliance with the License.
4 # You may obtain a copy of the License at:
6 # http://www.apache.org/licenses/LICENSE-2.0
8 # Unless required by applicable law or agreed to in writing, software
9 # distributed under the License is distributed on an "AS IS" BASIS,
10 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11 # See the License for the specific language governing permissions and
12 # limitations under the License.
14 """WireGuard utilities library."""
16 from ipaddress import ip_address
17 from cryptography.hazmat.primitives.serialization import Encoding, \
18 PrivateFormat, PublicFormat, NoEncryption
19 from cryptography.hazmat.primitives.asymmetric.x25519 import \
22 from resources.libraries.python.InterfaceUtil import InterfaceUtil
23 from resources.libraries.python.IPUtil import IPUtil
24 from resources.libraries.python.PapiExecutor import PapiSocketExecutor
27 """This class defines the methods to set WireGuard."""
30 def public_key_bytes(k):
31 """Return the public key as byte.
33 :param k: Generated public key.
34 :type: x25519._X25519PublicKey object
38 return k.public_bytes(Encoding.Raw, PublicFormat.Raw)
41 def private_key_bytes(k):
42 """Return the private key as byte.
44 :param k: Generated private key.
45 :type: x25519._X25519PrivateKey object
46 :returns: Private key.
49 return k.private_bytes(Encoding.Raw, PrivateFormat.Raw, NoEncryption())
52 def generate_wireguard_privatekey_and_pubkey():
53 """Generate a pair of WireGuard Private key and Public key.
55 :returns: A pair of privatekey and publickey
56 :rtype: x25519._X25519PublicKey object
58 privatekey = X25519PrivateKey.generate()
59 pubkey = privatekey.public_key()
60 private_key = WireGuardUtil.private_key_bytes(privatekey)
61 public_key = WireGuardUtil.public_key_bytes(pubkey)
62 return private_key, public_key
65 def vpp_wireguard_create_interface(
66 node, listen_port, wg_src, private_key):
67 """Create WireGuard interface.
69 :param node: VPP node to add config on.
70 :param listen_port: WireGuard interface listen port.
71 :param wg_src: WireGuard srouce IPv4.
72 :param private_key: WireGuard interface private key
74 :type listen_port: int
76 :type private_key: bytes
77 :returns: Wireguard interface sw_if_index.
80 cmd = u"wireguard_interface_create"
81 err_msg = f"Failed to create wireguard interface" \
82 f"on host {node[u'host']}"
83 src_ip = ip_address(wg_src)
86 port=int(listen_port),
88 private_key=private_key,
92 with PapiSocketExecutor(node) as papi_exec:
94 papi_exec.add(cmd, **args).get_sw_if_index(err_msg)
98 def vpp_wireguard_add_peer(
99 node, interface, peer_pubkey, endpoint_ip,
100 allowed_ips, n_allowed_ips, dst_port, keepalive_time):
101 """Add a peer for WireGuard interface.
103 :param node: VPP node to add config on.
104 :param interface: WireGuard interface sw_if_index.
105 :param peer_pubkey: Public key of wireguard interface peer.
106 :param endpoint_ip: Peer source IPv4.
107 :param allowed_ips: WireGuard interface allowed ips list.
108 :param n_allowed_ips: Number of allowed ips.
109 :param dst_port: WireGuard destination port.
110 :param keepaliva time: WireGuard persistent keepalive time.
113 :type peer_pubkey: bytes
114 :type endpoint_ip: str
115 :type allowed_ips: list
116 :type n_allowed_ips: int
118 :type keepalive_time: int
120 endpoint_ip = ip_address(endpoint_ip)
121 wg_name = InterfaceUtil.vpp_get_interface_name(
122 node, sw_if_index=interface
124 cmd = u"wireguard_peer_add"
125 err_msg = f"Failed to add wireguard interface" \
126 f"{wg_name} peer on host {node[u'host']}"
129 public_key=peer_pubkey,
131 endpoint=endpoint_ip,
132 sw_if_index=interface,
133 persistent_keepalive=int(keepalive_time),
134 n_allowed_ips=int(n_allowed_ips),
135 allowed_ips=allowed_ips
138 with PapiSocketExecutor(node) as papi_exec:
139 papi_exec.add(cmd, **args).get_reply(err_msg)
142 def _wireguard_create_tunnel_interface_on_dut(
143 node, if1_key, if2_mac_addr, src_ip, peer_endpoint_ip,
144 peer_allowed_ips, peer_n_allowed_ips, dut_wg_ip, port,
145 keepalive_time, dut_private_key, peer_pubkey):
146 """Create WireGuard tunnel interface on one DUT node using PAPI.
148 :param node: VPP node as DUT to create tunnel interface.
149 :param if1_key: VPP node as DUT interface key from topology file.
150 :param if2_mac_addr: Vpp node on the other end/ TG node
151 (in case of 2-node topology) interface mac address.
152 :param src_ip: WireGuard source IPv4 address.
153 :param peer_endpoint_ip: Peer source IPv4 address.
154 :param peer_allowed_ips: WireGuard peer interface allowed ip list.
155 :param peer_n_allowed ips: Number of peer allowed ips.
156 :param dut_wg_ip: WireGuard interface ip address on DUT.
157 :param port: WireGuard interface listen port or
158 Peer interface destination port.
159 :param keepalive_time: WireGuard persistent keepalive time.
160 :param dut_private_key: WireGuard interface private key of DUT.
161 :param peer_pubkey: WireGuard Peer interface public key.
164 :type if2_mac_addr: str
166 :type peer_endpoint_ip: src
167 :type peer_allowed_ips: list
168 :type peer_n_allowed_ips: int
171 :type keepalive_time: int
172 :type dut_private_key: bytes
173 :type peer_pubkey: bytes
175 #Set IP address on VPP node interface
176 IPUtil.vpp_interface_set_ip_address(node, if1_key, src_ip, 24)
177 IPUtil.vpp_add_ip_neighbor(
178 node, if1_key, peer_endpoint_ip, if2_mac_addr
180 #Create Wireguard interface on DUT
181 dut_wg_sw_index = WireGuardUtil.vpp_wireguard_create_interface(
182 node, port, src_ip, dut_private_key
185 WireGuardUtil.vpp_wireguard_add_peer(
186 node, dut_wg_sw_index, peer_pubkey, peer_endpoint_ip,
187 peer_allowed_ips, peer_n_allowed_ips, port, keepalive_time
189 #Set wireguard interface up
190 InterfaceUtil.set_interface_state(node, dut_wg_sw_index, state=u'up')
191 #Set wireguard interface IP address
192 cmd = u'sw_interface_add_del_address'
194 sw_if_index=dut_wg_sw_index,
197 prefix=IPUtil.create_prefix_object(ip_address(dut_wg_ip), 24)
199 err_msg = f"Failed to set IP address on wg interface " \
200 f"on host {node[u'host']}"
201 with PapiSocketExecutor(node) as papi_exec:
202 papi_exec.add(cmd, **args).get_reply(err_msg)
203 #Set route on VPP node as DUT wg interface
204 for allowed_ip in peer_allowed_ips:
205 traffic_addr = ip_address(
206 allowed_ip[u'address'][u'un'][u'ip4']
208 prefix_len = allowed_ip[u'len']
209 IPUtil.vpp_route_add(
210 node, traffic_addr, prefix_len,
211 gateway=(traffic_addr+1).compressed,
212 interface=dut_wg_sw_index
216 def vpp_wireguard_create_tunnel_interface_on_duts(
217 nodes, if1_key, if2_key, if1_ip_addr, if2_ip_addr,
218 if1_mac_addr, if2_mac_addr, wg_if1_ip_addr, wg_if2_ip_addr,
219 n_allowed_ips, port, keepalive_time, raddr_ip1, raddr_ip2):
220 """Create WireGuard tunnel interfaces between two VPP nodes.
222 :param nodes: VPP nodes to create tunnel interfaces.
223 :param if1_key: VPP node 1 interface key from topology file.
224 :param if2_key: VPP node 2 / TG node (in case of 2-node topology)
225 :param if1_ip_addr: VPP node 1 interface IPv4/IPv6 address.
226 :param if2_ip_addr: VPP node 2 / TG node
227 (in case of 2-node topology) interface IPv4/IPv6 address.
228 :param if1_mac_addr: VPP node1 interface mac address.
229 :param if2_mac_addr: VPP node2 interface mac address.
230 :param wg_if1_ip_addr: VPP node 1 WireGuard interface IPv4 address.
231 :param wg_if2_ip_addr: VPP node 2 WireGuard interface IPv4 address.
232 :param allowed_ips: WireGuard interface allowed ip list.
233 :param n_allowed_ips: Number of allowed ips.
234 :param port: WireGuard interface listen port or
235 Peer interface destination port.
236 :param keepalive_time: WireGuard persistent keepalive time.
237 :param raddr_ip1: Policy selector remote IPv4/IPv6 start address
238 for the first tunnel in direction node1->node2.
239 :param raddr_ip2: Policy selector remote IPv4/IPv6 start address
240 for the first tunnel in direction node2->node1.
244 :type if1_ip_addr: str
245 :type if2_ip_addr: str
246 :type if1_mac_addr: str
247 :type if2_mac_addr: str
248 :type wg_if1_ip_addr: str
249 :type wg_if2_ip_addr: str
250 :type allowed_ips: str
251 :type n_allowed_ips: int
253 :type keepalive_time: int
257 dut1_privatekey, dut1_pubkey = \
258 WireGuardUtil.generate_wireguard_privatekey_and_pubkey()
259 dut2_privatekey, dut2_pubkey = \
260 WireGuardUtil.generate_wireguard_privatekey_and_pubkey()
261 raddr_ip1 = ip_address(raddr_ip1)
262 raddr_ip2 = ip_address(raddr_ip2)
264 [IPUtil.create_prefix_object(raddr_ip2, 24),]
266 [IPUtil.create_prefix_object(raddr_ip1, 24),]
267 #Configure WireGuard interface on DUT1
268 WireGuardUtil._wireguard_create_tunnel_interface_on_dut(
269 nodes[u'DUT1'], if1_key, if2_mac_addr, if1_ip_addr, if2_ip_addr,
270 dut1_allowed_ips, n_allowed_ips, wg_if1_ip_addr, port,
271 keepalive_time, dut1_privatekey, dut2_pubkey
273 #Configure WireGuard interface on DUT2
274 WireGuardUtil._wireguard_create_tunnel_interface_on_dut(
275 nodes[u'DUT2'], if2_key, if1_mac_addr, if2_ip_addr, if1_ip_addr,
276 dut2_allowed_ips, n_allowed_ips, wg_if2_ip_addr, port,
277 keepalive_time, dut2_privatekey, dut1_pubkey